HSRP (Hot Standby Routing Protocol)

In this lesson I will explain how HSRP (Hot Standby Routing Protocol) works and how to configure it. If you have no idea what virtual gateways are about then make sure to read my introduction lesson first.

Here’s the topology I will use:

Here’s what we have:

SW1 and SW2 are multilayer switches. The 192.168.1.0/24 subnet belongs to VLAN 1 and there is one host device.

IP address 192.168.1.254 will be used for the virtual gateway address.

The multilayer switches are connected with layer three interfaces to an upstream router called R3.

Let’s look at the configuration.

Configurations


Use the standby command to configure HSRP. 192.168.1.254 will be the virtual gateway IP address. The “1” is the group number for HSRP. It doesn’t matter what you pick; just make sure it’s the same on both devices. On your console you’ll see something like this:

Depending on which switch you configured first you’ll see these messages. One of the switches will be the active gateway, the other one goes in standby mode. Let’s see if we can reach this virtual gateway from our host:

As you can see we can successfully reach the virtual gateway IP address.

That wasn’t too bad right? Only one command and HSRP works! There are a couple of other things we have to look at though. We use 192.168.1.254 as the virtual IP address but what MAC address will it use?

You can see the MAC address of 192.168.1.254 in the ARP table. Where did this MAC address come from?

0000.0c07.ac01 is the MAC address that we have. HSRP uses the 0000.0c07.acXX MAC address where XX is the HSRP group number. In my example I configured HSRP group number 1. There are a couple of other interesting things to check, take a look below:

SW1#show standby
Vlan1 - Group 1
State is Standby
3 state changes, last state change 00:03:33
Virtual IP address is 192.168.1.254
Active virtual MAC address is 0000.0c07.ac01 (MAC Not In Use)
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.144 secs
Preemption disabled
Active router is 192.168.1.2, priority 100 (expires in 7.776 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Vl1-1" (default)

Use the show standby command to verify your configuration. There are a couple of interesting things here:

We can see the virtual IP address here (192.168.1.254).

It also shows the virtual MAC address (0000.0c07.ac01).

You can see which router is active or in standby mode.

The hello time is 3 seconds and the hold time is 10 seconds.

Preemption is disabled.
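The checks in the list above can be scripted when you have many groups to review. This is an added example, not part of the original lesson: it parses the show standby output shown above and reports the settings this lesson discusses. The function names are hypothetical, and the "Authentication" line it looks for is an assumption about how IOS reports configured authentication; the capture above does not contain one.

```python
import re

# Constructed input: the lesson's `show standby` capture, one field per line.
SAMPLE = """\
Vlan1 - Group 1
  State is Standby
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 0000.0c07.ac01 (MAC Not In Use)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is 192.168.1.2, priority 100 (expires in 7.776 sec)
  Priority 100 (default 100)
"""

FIELDS = {
    "group": r"^\S+ - Group (\d+)",
    "state": r"State is (\w+)",
    "vip": r"Virtual IP address is ([\d.]+)",
    "hello": r"Hello time (\d+ m?sec)",
    "hold": r"hold time (\d+ m?sec)",
    "preempt": r"Preemption (\w+)",
    "priority": r"^\s*Priority (\d+)",
    "auth": r"^\s*Authentication (\w+)",  # assumed line; absent in the capture
}

def parse_show_standby(text):
    """Return the fields found in one group's `show standby` output."""
    found = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            found[name] = match.group(1)
    return found

def to_ms(timer):
    """Convert '3 sec' or '100 msec' to milliseconds."""
    value, unit = timer.split()
    return int(value) * (1 if unit == "msec" else 1000)

def audit(info):
    """List settings the lesson tells you to check before relying on failover."""
    findings = []
    if to_ms(info["hold"]) < 3 * to_ms(info["hello"]):
        findings.append("hold time below 3x hello time")
    if info.get("preempt") != "enabled":
        findings.append("preemption disabled")
    if "auth" not in info:
        findings.append("no authentication line")
    return findings

if __name__ == "__main__":
    print(audit(parse_show_standby(SAMPLE)))
```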

The active router will respond to ARP requests from computers and it will be actively forwarding packets from them. It will send hello messages to the routers that are in standby mode. Routers in standby mode will listen to the hello messages. If they don’t receive anything from the active router, they will wait for the hold time to expire before taking over. The hold time is 10 seconds by default which is pretty slow; we’ll see how to speed this up in a bit.

Each HSRP router will go through a number of states before it ends up as an active or standby router. This is what will happen:

| State | Explanation |
|---|---|
| Initial | This is the first state when HSRP starts. You’ll see this just after you configured HSRP or when the interface just got enabled. |
| Listen | The router knows the virtual IP address and will listen for hello messages from other HSRP routers. |
| Speak | The router will send hello messages and will join the election to see which router will become active or standby. |
| Standby | The router didn’t become the active router but will keep sending hello messages. If the active router fails it will take over. |
| Active | The router will actively forward packets from clients and sends hello messages. |

We can see all these steps with a debug command. Let’s shut the VLAN 1 interfaces first so that we can restart HSRP:

Above you can clearly see the different states we go through before we end up in the active state. Right now SW1 is the only switch that is running HSRP so let’s enable the VLAN 1 interface of SW2 as well:

Above we can see that SW2 is seeing 192.168.1.1 (SW1) as the active router. Eventually it ends up in the standby state.

Active Gateway Election

Why did SW2 go in standby mode instead of SW1?

By default the switch with the highest priority will become the active HSRP device. If the priority is the same then the highest IP address will be the tie-breaker. Let’s take a look at the priorities:

SW1#show standby | include Priority
Priority 100 (default 100)

SW2#show standby | include Priority
Priority 100 (default 100)

The priority is the same on both switches, SW2 has a higher IP address so it should become the active router but it’s not. Let’s try increasing its priority:

By default preemption will take effect immediately but it might be a good idea to use a delay. If a router or switch reboots it might need some time to “converge”. Maybe OSPF or EIGRP need to form neighbor adjacencies, or spanning-tree hasn’t finished unblocking ports yet. If you want to add a delay then you can do it like this:

This ensures that all packets sent between the two switches are authenticated. This prevents someone on the 192.168.1.0/24 subnet from joining our HSRP setup.

HSRP Timers

By default HSRP is pretty slow. SW1 is my standby router and it will wait for 10 seconds (hold time) before it will become active once SW2 fails. That means we’ll have 10 seconds of downtime…let’s see if we can speed that up:

I’ve set the hello time to 100 milliseconds and the hold timer to 300 milliseconds. Make sure your hold time is at least three times the hello timer. Let’s verify our work:

SW1#show standby | include time
Hello time 100 msec, hold time 300 msec

SW2#show standby | include time
Hello time 100 msec, hold time 300 msec

HSRP Version 1 and 2

There are two versions of HSRP and depending on the router or switch model you might have the option to use HSRP version 2. You can change the version by using the standby version command.

| | HSRPv1 | HSRPv2 |
|---|---|---|
| Group Numbers | 0 – 255 | 0 – 4095 |
| Virtual MAC address | 0000.0c07.acXX (XX = group number) | 0000.0c9f.fXXX (XXX = group number) |
| Multicast Address | 224.0.0.2 | 224.0.0.102 |

Let’s try switching our devices to HSRP version 2:

SW1 & SW2
(config)#interface Vlan 1
(config-if)#standby version 2

SW1#show standby | include version
Vlan1 - Group 1 (version 2)

That’s all there is to it.
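The virtual MAC formats for both versions can be computed and recognized programmatically, which helps when reading ARP tables or packet captures. This is an added example, not part of the original lesson: it builds the virtual MAC from a group number (the group is encoded in hexadecimal) and identifies HSRP virtual MACs in ARP output. The function names and the ARP entries are constructed for illustration.

```python
import re

V1_PREFIX = 0x00000C07AC00   # HSRPv1: 0000.0c07.acXX
V2_PREFIX = 0x00000C9FF000   # HSRPv2: 0000.0c9f.fXXX
MAX_GROUP = {1: 255, 2: 4095}

def virtual_mac(group, version=1):
    """Return the HSRP virtual MAC in Cisco dotted notation."""
    if version not in MAX_GROUP:
        raise ValueError("HSRP version must be 1 or 2")
    if not 0 <= group <= MAX_GROUP[version]:
        raise ValueError(f"group {group} out of range for HSRPv{version}")
    raw = (V1_PREFIX if version == 1 else V2_PREFIX) | group
    digits = f"{raw:012x}"
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def classify_mac(mac):
    """Return (version, group) for an HSRP virtual MAC, else None."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if digits.startswith("00000c07ac"):
        return 1, int(digits[10:], 16)
    if digits.startswith("00000c9ff"):
        return 2, int(digits[9:], 16)
    return None

# Constructed ARP entries in `show ip arp` column order (not from the lesson).
ARP_SAMPLE = """\
Internet  192.168.1.254   0   0000.0c07.ac01  ARPA  Vlan1
Internet  192.168.1.1     -   0019.569d.5742  ARPA  Vlan1
Internet  192.168.2.254   3   0000.0c9f.f00a  ARPA  Vlan2
"""

def hsrp_gateways(arp_text):
    """Map each IP whose MAC is an HSRP virtual MAC to (version, group)."""
    result = {}
    for line in arp_text.splitlines():
        cols = line.split()
        if len(cols) >= 4:
            hit = classify_mac(cols[3])
            if hit:
                result[cols[1]] = hit
    return result
```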

Interface Tracking

There is one more thing we need to look at and it’s called interface tracking. Take a look at the following picture:

In the picture above SW2 is the active router because we changed the priority to 150. That’s great but what if the interface on SW2 to R3 fails? It will be the active router but it doesn’t have a direct path to R3 anymore.

When this happens it will send an ICMP redirect to the computer. It would be better if SW1 becomes the active HSRP router in case this happens.

HSRP offers a feature called interface tracking. We can select an interface to track and if it fails we will give it a penalty. This way your priority will decrease and another device can become the active router.

Make sure you have enabled preemption if you want to use interface tracking. Here’s an example:

SW2(config)#track 1 interface GigabitEthernet 0/2 line-protocol

First we configure object tracking for the GigabitEthernet 0/2 interface. When the line-protocol changes (goes down) then the object state will change.

You can see the priority is now 90 instead of the 150 that we configured, which is lower than SW1 (100). As a result SW2 will go to the standby state and SW1 will move to the active state. Interface tracking is useful but it will only check the state of the interface. It’s possible that the interface remains in the up state but that we are unable to reach R3. It might be a better idea to use IP SLA instead since it can check end-to-end connectivity.
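The election, preemption and tracking rules from this lesson can be captured in a small model. This is an added example, not part of the original lesson: the Router class and elect() function are hypothetical, the model runs a single election round and ignores timers, and the decrement of 60 is inferred from the priority dropping from 150 to 90.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Router:                      # hypothetical model, not an IOS object
    name: str
    ip: str
    priority: int = 100            # HSRP default priority
    preempt: bool = False          # preemption is disabled by default
    tracked_up: bool = True        # state of the tracked object
    decrement: int = 0             # penalty applied while the object is down

    def rank(self):
        """Effective priority first, highest IP address as tie-breaker."""
        penalty = 0 if self.tracked_up else self.decrement
        return (self.priority - penalty, IPv4Address(self.ip))

def elect(routers, active=None):
    """Return the name of the active router after one election round."""
    by_name = {r.name: r for r in routers}
    if active not in by_name:      # nobody is active yet, or the active router failed
        return max(routers, key=Router.rank).name
    current = by_name[active]
    # An existing active router is only replaced by a better router that preempts.
    challengers = [r for r in routers if r.preempt and r.rank() > current.rank()]
    return max(challengers, key=Router.rank).name if challengers else active

def lesson_walkthrough():
    """Replay the lesson: equal priorities, priority 150, then a tracked failure."""
    sw1 = Router("SW1", "192.168.1.1")
    sw2 = Router("SW2", "192.168.1.2")
    steps = [elect([sw1, sw2], active="SW1")]          # SW1 came up first
    sw2.priority, sw2.preempt = 150, True
    steps.append(elect([sw1, sw2], active=steps[-1]))  # SW2 preempts
    sw2.decrement, sw2.tracked_up = 60, False          # 150 - 60 = 90 (inferred)
    steps.append(elect([sw1, sw2], active=steps[-1]))  # SW1 has no preempt
    sw1.preempt = True
    steps.append(elect([sw1, sw2], active=steps[-1]))  # now SW1 takes over
    return steps

if __name__ == "__main__":
    print(lesson_walkthrough())
```

The third step is the reason the lesson asks for preemption with interface tracking: without it on SW1, the lowered priority on SW2 changes nothing.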

Conclusion

You have now seen how to configure HSRP, how to enable authentication and how to “tune” some of its parameters. I hope this has been useful. Share it with your friends and/or colleagues. If you have any questions feel free to leave a comment in our forum.

Forum Replies

The thing is SwitchA does not have the option standby under interface, not unless I convert this interface as a layer 3 int with command “no switchport”, then it has the option, but when I try to type the following command

standby 1 ip 192.168.1.3

then it gives me the error that overlaps with vlan 1, and this is because the layer 3 interface does not belong to any vlan, can you please advise.

You can only configure HSRP / VRRP / GLBP on “routed” (L3) interfaces, not on switchports (L2 interfaces).

You have two options:

Configure the standby commands on the VLAN interface, all switchports that are in the same VLAN will be able to reach the virtual IP address.

or

Make a switchport a “routed” interface by using “no switchport” and configure the standby commands on this interface. In this case only devices that are connected to this interface will be able to reach the virtual IP address.

I know it is best practice to have the HSRP hold timer be at least 3x’s the hello, but I did some lab testing and it appeared to work ok for instance with the hold time 2x’s the hello. Is this expected - is the idea just to have the hold time be large enough to not cause an unnecessary transition and that is what Cisco found to be best practice?

What are the benefits of HSRP v2 over v1 - is it just the increased number of HSRP group numbers supported?

Let’s begin with Cisco’s explanation and we’ll go from there. Cisco says that this command:

Sets the priority level used to select the active router in an HSRP group. The level range is from 0 to 255. The default is 100. Optionally, sets the upper and lower threshold values used by vPC to determine when to fail over to the vPC trunk. The lower-value range is from 1 to 255. The default is 1. The upper-value range is from 1 to 255. The default is 255.
